--- /dev/null
+From 9aadde91b3c035413c806619beb3e3ef6e697953 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 22 Sep 2017 17:22:19 -0400
+Subject: extable: Consolidate *kernel_text_address() functions
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 9aadde91b3c035413c806619beb3e3ef6e697953 upstream.
+
+The functionality between kernel_text_address() and _kernel_text_address()
+is the same except that _kernel_text_address() does a little more (that
+function needs a rename, but that can be done another time). Instead of
+having duplicate code in both, simply have _kernel_text_address() calls
+kernel_text_address() instead.
+
+This is marked for stable because there's an RCU bug that can happen if
+one of these functions gets called while RCU is not watching. That fix
+depends on this fix to keep from having to write the fix twice.
+
+Fixes: 0be964be0 ("module: Sanitize RCU usage and locking")
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/extable.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/kernel/extable.c
++++ b/kernel/extable.c
+@@ -102,15 +102,7 @@ int core_kernel_data(unsigned long addr)
+
+ int __kernel_text_address(unsigned long addr)
+ {
+- if (core_kernel_text(addr))
+- return 1;
+- if (is_module_text_address(addr))
+- return 1;
+- if (is_ftrace_trampoline(addr))
+- return 1;
+- if (is_kprobe_optinsn_slot(addr) || is_kprobe_insn_slot(addr))
+- return 1;
+- if (is_bpf_text_address(addr))
++ if (kernel_text_address(addr))
+ return 1;
+ /*
+ * There might be init symbols in saved stacktraces.
--- /dev/null
+From e8cac8b1d10589be45671a5ade0926a639b543b7 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 22 Sep 2017 17:36:32 -0400
+Subject: extable: Enable RCU if it is not watching in kernel_text_address()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit e8cac8b1d10589be45671a5ade0926a639b543b7 upstream.
+
+If kernel_text_address() is called when RCU is not watching, it can cause an
+RCU bug because is_module_text_address(), the is_kprobe_*insn_slot()
+and is_bpf_text_address() functions require the use of RCU.
+
+Only enable RCU if it is not currently watching before it calls
+is_module_text_address(). The use of rcu_nmi_enter() is used to enable RCU
+because kernel_text_address() can happen pretty much anywhere (like an NMI),
+and even from within an NMI. It is called via save_stack_trace() that can be
+called by any WARN() or tracing function, which can happen while RCU is not
+watching (for example, going to or coming from idle, or during CPU take down
+or bring up).
+
+Fixes: 0be964be0 ("module: Sanitize RCU usage and locking")
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/extable.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--- a/kernel/extable.c
++++ b/kernel/extable.c
+@@ -119,17 +119,42 @@ int __kernel_text_address(unsigned long
+
+ int kernel_text_address(unsigned long addr)
+ {
++ bool no_rcu;
++ int ret = 1;
++
+ if (core_kernel_text(addr))
+ return 1;
++
++ /*
++ * If a stack dump happens while RCU is not watching, then
++ * RCU needs to be notified that it requires to start
++ * watching again. This can happen either by tracing that
++ * triggers a stack trace, or a WARN() that happens during
++ * coming back from idle, or cpu on or offlining.
++ *
++ * is_module_text_address() as well as the kprobe slots
++ * and is_bpf_text_address() require RCU to be watching.
++ */
++ no_rcu = !rcu_is_watching();
++
++ /* Treat this like an NMI as it can happen anywhere */
++ if (no_rcu)
++ rcu_nmi_enter();
++
+ if (is_module_text_address(addr))
+- return 1;
++ goto out;
+ if (is_ftrace_trampoline(addr))
+- return 1;
++ goto out;
+ if (is_kprobe_optinsn_slot(addr) || is_kprobe_insn_slot(addr))
+- return 1;
++ goto out;
+ if (is_bpf_text_address(addr))
+- return 1;
+- return 0;
++ goto out;
++ ret = 0;
++out:
++ if (no_rcu)
++ rcu_nmi_exit();
++
++ return ret;
+ }
+
+ /*
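Review bot: The `no_rcu` sample and the `rcu_nmi_enter()`/`rcu_nmi_exit()` pair in kernel_text_address() only stay balanced if the caller cannot move to another CPU between them, and nothing in the hunk states that assumption. The existing comment explains why RCU has to be woken, but not why an NMI-style entry is safe from ordinary task context. I would add above `if (no_rcu)` something like `/* Contexts where RCU is not watching (idle, CPU hotplug, NMI) are assumed non-preemptible, so enter and exit run on the same CPU. */`, or have the RCU maintainers confirm it if that does not always hold. The `ret = 1` default that is cleared only at the fall-through also reads backwards at first glance, so a short comment on the declaration (`/* every goto out below means "is text" */`) would help.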
--- /dev/null
+From 3c8415cc7aff467faba25841fb859660ac14a04e Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Tue, 5 Sep 2017 11:52:33 -0700
+Subject: iw_cxgb4: drop listen destroy replies if no ep found
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit 3c8415cc7aff467faba25841fb859660ac14a04e upstream.
+
+If the thread waiting for a CLOSE_LISTSRV_RPL times out and bails,
+then we need to handle a subsequent CPL if it arrives and the stid has
+been released. In this case silently drop it.
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2333,9 +2333,14 @@ static int close_listsrv_rpl(struct c4iw
+ unsigned int stid = GET_TID(rpl);
+ struct c4iw_listen_ep *ep = get_ep_from_stid(dev, stid);
+
++ if (!ep) {
++ pr_debug("%s stid %d lookup failure!\n", __func__, stid);
++ goto out;
++ }
+ pr_debug("%s ep %p\n", __func__, ep);
+ c4iw_wake_up(&ep->com.wr_wait, status2errno(rpl->status));
+ c4iw_put_ep(&ep->com);
++out:
+ return 0;
+ }
+
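Review bot: The new `pr_debug()` in the `!ep` branch prints `stid` with `%d` although it is declared `unsigned int` two lines above; use `pr_debug("%s stid %u lookup failure!\n", __func__, stid);`. Because this branch now discards a hardware reply for a stid that has already been released, it also deserves a one-line comment such as `/* waiter timed out and the stid was released; nothing left to wake */`, so the silent drop is not later mistaken for a swallowed error. The function's parameter list is truncated in the hunk header, so the rest of its contract is not visible here.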
--- /dev/null
+From 3d318605f5e32ff44fb290d9b67573b34213c4c8 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Wed, 13 Sep 2017 09:52:32 -0700
+Subject: iw_cxgb4: put ep reference in pass_accept_req()
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit 3d318605f5e32ff44fb290d9b67573b34213c4c8 upstream.
+
+The listening endpoint should always be dereferenced at the end of
+pass_accept_req().
+
+Fixes: f86fac79afec ("RDMA/iw_cxgb4: atomic find and reference for listening endpoints")
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2599,9 +2599,9 @@ fail:
+ c4iw_put_ep(&child_ep->com);
+ reject:
+ reject_cr(dev, hwtid, skb);
++out:
+ if (parent_ep)
+ c4iw_put_ep(&parent_ep->com);
+-out:
+ return 0;
+ }
+
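Review bot: With `out:` moved above the `if (parent_ep)` test, every `goto out` in pass_accept_req() now reads `parent_ep`, so the variable must be NULL-initialised or assigned before the first jump to that label. The declaration and the earlier jumps are outside this hunk, so that cannot be confirmed from here; if the declaration has no initialiser, it should get `= NULL`. A comment at the label, `/* drop the listening-endpoint reference on every exit path */`, would make the intent of the move explicit.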
--- /dev/null
+From 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Tue, 5 Sep 2017 11:52:34 -0700
+Subject: iw_cxgb4: remove the stid on listen create failure
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 upstream.
+
+If a listen create fails, then the server tid (stid) is incorrectly left
+in the stid idr table, which can cause a touch-after-free if the stid
+is looked up and the already freed endpoint is touched. So make sure
+and remove it in the error path.
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3463,7 +3463,7 @@ int c4iw_create_listen(struct iw_cm_id *
+ cm_id->provider_data = ep;
+ goto out;
+ }
+-
++ remove_handle(ep->com.dev, &ep->com.dev->stid_idr, ep->stid);
+ cxgb4_free_stid(ep->com.dev->rdev.lldi.tids, ep->stid,
+ ep->com.local_addr.ss_family);
+ fail2:
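Review bot: The added `remove_handle()` call carries no comment, although its position before `cxgb4_free_stid()` is the whole point: the stid has to leave `stid_idr` before the stid and the endpoint are released, otherwise a later lookup can reach a freed ep. I would keep the blank line this patch deletes and add `/* unpublish the stid before freeing it so no later lookup can reach this ep */` above the call. Whether a lookup that obtained the endpoint before this point is still safe depends on how the `fail2:` path releases it, which is outside the hunk.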
--- /dev/null
+From 6ae033689d7b1a419def78e8e990b0eab8bb6419 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 18 Sep 2017 15:16:08 +0300
+Subject: mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 6ae033689d7b1a419def78e8e990b0eab8bb6419 upstream.
+
+Some Intel host controllers (e.g. CNP) use an ACPI device-specific method
+to ensure correct voltage switching. Fix voltage switch for those, by
+adding a call to the DSM.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pci-core.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -393,6 +393,7 @@ static const struct sdhci_pci_fixes sdhc
+
+ enum {
+ INTEL_DSM_FNS = 0,
++ INTEL_DSM_V18_SWITCH = 3,
+ INTEL_DSM_DRV_STRENGTH = 9,
+ INTEL_DSM_D3_RETUNE = 10,
+ };
+@@ -558,6 +559,19 @@ static void intel_hs400_enhanced_strobe(
+ sdhci_writel(host, val, INTEL_HS400_ES_REG);
+ }
+
++static void sdhci_intel_voltage_switch(struct sdhci_host *host)
++{
++ struct sdhci_pci_slot *slot = sdhci_priv(host);
++ struct intel_host *intel_host = sdhci_pci_priv(slot);
++ struct device *dev = &slot->chip->pdev->dev;
++ u32 result = 0;
++ int err;
++
++ err = intel_dsm(intel_host, dev, INTEL_DSM_V18_SWITCH, &result);
++ pr_debug("%s: %s DSM error %d result %u\n",
++ mmc_hostname(host->mmc), __func__, err, result);
++}
++
+ static const struct sdhci_ops sdhci_intel_byt_ops = {
+ .set_clock = sdhci_set_clock,
+ .set_power = sdhci_intel_set_power,
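Review bot: sdhci_intel_voltage_switch() reports the DSM outcome only through `pr_debug()`, so a failed voltage-switch request is invisible on a normally configured kernel, and the void callback cannot propagate it either. Since `dev` is already computed for the intel_dsm() call, `dev_dbg(dev, ...)` would be the consistent form. A genuine failure arguably deserves `dev_warn()`, provided intel_dsm() returns a distinct code for controllers that simply do not implement the function, which is not visible here. A one-line comment above the function stating that the DSM is optional and that errors are deliberately non-fatal would record that intent.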
+@@ -566,6 +580,7 @@ static const struct sdhci_ops sdhci_inte
+ .reset = sdhci_reset,
+ .set_uhs_signaling = sdhci_set_uhs_signaling,
+ .hw_reset = sdhci_pci_hw_reset,
++ .voltage_switch = sdhci_intel_voltage_switch,
+ };
+
+ static void byt_read_dsm(struct sdhci_pci_slot *slot)
--- /dev/null
+From 28585a832602747cbfa88ad8934013177a3aae38 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+Date: Fri, 22 Sep 2017 14:10:22 -0700
+Subject: rcu: Allow for page faults in NMI handlers
+
+From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+
+commit 28585a832602747cbfa88ad8934013177a3aae38 upstream.
+
+A number of architecture invoke rcu_irq_enter() on exception entry in
+order to allow RCU read-side critical sections in the exception handler
+when the exception is from an idle or nohz_full CPU. This works, at
+least unless the exception happens in an NMI handler. In that case,
+rcu_nmi_enter() would already have exited the extended quiescent state,
+which would mean that rcu_irq_enter() would (incorrectly) cause RCU
+to think that it is again in an extended quiescent state. This will
+in turn result in lockdep splats in response to later RCU read-side
+critical sections.
+
+This commit therefore causes rcu_irq_enter() and rcu_irq_exit() to
+take no action if there is an rcu_nmi_enter() in effect, thus avoiding
+the unscheduled return to RCU quiescent state. This in turn should
+make the kernel safe for on-demand RCU voyeurism.
+
+Link: http://lkml.kernel.org/r/20170922211022.GA18084@linux.vnet.ibm.com
+
+Fixes: 0be964be0 ("module: Sanitize RCU usage and locking")
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/tree.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -888,6 +888,11 @@ void rcu_irq_exit(void)
+
+ RCU_LOCKDEP_WARN(!irqs_disabled(), "rcu_irq_exit() invoked with irqs enabled!!!");
+ rdtp = this_cpu_ptr(&rcu_dynticks);
++
++ /* Page faults can happen in NMI handlers, so check... */
++ if (READ_ONCE(rdtp->dynticks_nmi_nesting))
++ return;
++
+ WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
+ rdtp->dynticks_nesting < 1);
+ if (rdtp->dynticks_nesting <= 1) {
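Review bot: The early `return` added to rcu_irq_exit() here, and the identical one in rcu_irq_enter() in the next hunk, is only correct if a matching enter/exit pair always observes the same `dynticks_nmi_nesting` state, and the comment `Page faults can happen in NMI handlers, so check...` does not say that. I would expand both comments to state that an rcu_nmi_enter() is in effect, that RCU is therefore already watching, and that the paired rcu_irq_enter() and rcu_irq_exit() must both skip their `dynticks_nesting` update. In rcu_irq_exit() the return also sits above the `CONFIG_RCU_EQS_DEBUG` `WARN_ON_ONCE`, so that sanity check no longer runs in this case; that looks intended but should be stated. Both function bodies start and end outside their hunks.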
+@@ -1020,6 +1025,11 @@ void rcu_irq_enter(void)
+
+ RCU_LOCKDEP_WARN(!irqs_disabled(), "rcu_irq_enter() invoked with irqs enabled!!!");
+ rdtp = this_cpu_ptr(&rcu_dynticks);
++
++ /* Page faults can happen in NMI handlers, so check... */
++ if (READ_ONCE(rdtp->dynticks_nmi_nesting))
++ return;
++
+ oldval = rdtp->dynticks_nesting;
+ rdtp->dynticks_nesting++;
+ WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
--- /dev/null
+From 66a733ea6b611aecf0119514d2dddab5f9d6c01e Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 27 Sep 2017 09:25:30 -0600
+Subject: seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 66a733ea6b611aecf0119514d2dddab5f9d6c01e upstream.
+
+As Chris explains, get_seccomp_filter() and put_seccomp_filter() can end
+up using different filters. Once we drop ->siglock it is possible for
+task->seccomp.filter to have been replaced by SECCOMP_FILTER_FLAG_TSYNC.
+
+Fixes: f8e529ed941b ("seccomp, ptrace: add support for dumping seccomp filters")
+Reported-by: Chris Salls <chrissalls5@gmail.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+[tycho: add __get_seccomp_filter vs. open coding refcount_inc()]
+Signed-off-by: Tycho Andersen <tycho@docker.com>
+[kees: tweak commit log]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/seccomp.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -458,14 +458,19 @@ static long seccomp_attach_filter(unsign
+ return 0;
+ }
+
++void __get_seccomp_filter(struct seccomp_filter *filter)
++{
++ /* Reference count is bounded by the number of total processes. */
++ refcount_inc(&filter->usage);
++}
++
+ /* get_seccomp_filter - increments the reference count of the filter on @tsk */
+ void get_seccomp_filter(struct task_struct *tsk)
+ {
+ struct seccomp_filter *orig = tsk->seccomp.filter;
+ if (!orig)
+ return;
+- /* Reference count is bounded by the number of total processes. */
+- refcount_inc(&orig->usage);
++ __get_seccomp_filter(orig);
+ }
+
+ static inline void seccomp_filter_free(struct seccomp_filter *filter)
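Review bot: `__get_seccomp_filter()` is added without `static`, while its counterpart `__put_seccomp_filter()` in the next hunk is `static` and this patch only shows callers inside kernel/seccomp.c. Unless a header declares it (none is touched here), make it `static void __get_seccomp_filter(struct seccomp_filter *filter)`. The helper also dereferences `filter` unconditionally, whereas `__put_seccomp_filter()` tolerates NULL, so a comment such as `/* @filter must be non-NULL; get_seccomp_filter() checks before calling */` would document the asymmetry.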
+@@ -476,10 +481,8 @@ static inline void seccomp_filter_free(s
+ }
+ }
+
+-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
+-void put_seccomp_filter(struct task_struct *tsk)
++static void __put_seccomp_filter(struct seccomp_filter *orig)
+ {
+- struct seccomp_filter *orig = tsk->seccomp.filter;
+ /* Clean up single-reference branches iteratively. */
+ while (orig && refcount_dec_and_test(&orig->usage)) {
+ struct seccomp_filter *freeme = orig;
+@@ -488,6 +491,12 @@ void put_seccomp_filter(struct task_stru
+ }
+ }
+
++/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
++void put_seccomp_filter(struct task_struct *tsk)
++{
++ __put_seccomp_filter(tsk->seccomp.filter);
++}
++
+ static void seccomp_init_siginfo(siginfo_t *info, int syscall, int reason)
+ {
+ memset(info, 0, sizeof(*info));
+@@ -908,13 +917,13 @@ long seccomp_get_filter(struct task_stru
+ if (!data)
+ goto out;
+
+- get_seccomp_filter(task);
++ __get_seccomp_filter(filter);
+ spin_unlock_irq(&task->sighand->siglock);
+
+ if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
+ ret = -EFAULT;
+
+- put_seccomp_filter(task);
++ __put_seccomp_filter(filter);
+ return ret;
+
+ out:
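Review bot: The reason for switching to `__get_seccomp_filter(filter)` and `__put_seccomp_filter(filter)` is not recorded at the call site, and this is the kind of invariant a later cleanup can undo by going back to the task-based helpers. I would add above the get: `/* Pin the filter we selected: once siglock is dropped, task->seccomp.filter may be replaced, so get and put must use the same pointer. */`. The `copy_to_user()` between the two calls reads `fprog->filter` without the lock and depends entirely on that pinned reference. How `filter` and `fprog` are derived is above the hunk.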
--- /dev/null
+From 10859f3855db4c6f10dc7974ff4b3a292f3de8e0 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 7 Sep 2017 16:32:46 -0700
+Subject: selftests/seccomp: Support glibc 2.26 siginfo_t.h
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 10859f3855db4c6f10dc7974ff4b3a292f3de8e0 upstream.
+
+The 2.26 release of glibc changed how siginfo_t is defined, and the earlier
+work-around to using the kernel definition are no longer needed. The old
+way needs to stay around for a while, though.
+
+Reported-by: Seth Forshee <seth.forshee@canonical.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Will Drewry <wad@chromium.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: linux-kselftest@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -6,10 +6,18 @@
+ */
+
+ #include <sys/types.h>
+-#include <asm/siginfo.h>
+-#define __have_siginfo_t 1
+-#define __have_sigval_t 1
+-#define __have_sigevent_t 1
++
++/*
++ * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
++ * we need to use the kernel's siginfo.h file and trick glibc
++ * into accepting it.
++ */
++#if !__GLIBC_PREREQ(2, 26)
++# include <asm/siginfo.h>
++# define __have_siginfo_t 1
++# define __have_sigval_t 1
++# define __have_sigevent_t 1
++#endif
+
+ #include <errno.h>
+ #include <linux/filter.h>
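Review bot: `#if !__GLIBC_PREREQ(2, 26)` is a preprocessor error rather than a false condition when the macro is undefined, which is the case on a C library other than glibc, and it also relies on `<sys/types.h>` having pulled in glibc's `<features.h>` first. Nesting the test inside `#ifdef __GLIBC_PREREQ` avoids the error; a single `#if defined(__GLIBC_PREREQ) && !__GLIBC_PREREQ(2, 26)` does not, because the whole expression is still parsed. Whether a non-glibc build should then use the kernel's `<asm/siginfo.h>` or the libc definition is a choice the new comment block should state explicitly.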
+@@ -676,7 +684,7 @@ TEST_F_SIGNAL(TRAP, ign, SIGSYS)
+ syscall(__NR_getpid);
+ }
+
+-static struct siginfo TRAP_info;
++static siginfo_t TRAP_info;
+ static volatile int TRAP_nr;
+ static void TRAP_action(int nr, siginfo_t *info, void *void_context)
+ {
brd-fix-overflow-in-__brd_direct_access.patch
gfs2-fix-debugfs-glocks-dump.patch
bsg-lib-don-t-free-job-in-bsg_prepare_job.patch
+iw_cxgb4-drop-listen-destroy-replies-if-no-ep-found.patch
+iw_cxgb4-remove-the-stid-on-listen-create-failure.patch
+iw_cxgb4-put-ep-reference-in-pass_accept_req.patch
+rcu-allow-for-page-faults-in-nmi-handlers.patch
+mmc-sdhci-pci-fix-voltage-switch-for-some-intel-host-controllers.patch
+extable-consolidate-kernel_text_address-functions.patch
+extable-enable-rcu-if-it-is-not-watching-in-kernel_text_address.patch
+selftests-seccomp-support-glibc-2.26-siginfo_t.h.patch
+seccomp-fix-the-usage-of-get-put_seccomp_filter-in-seccomp_get_filter.patch